DOI: 10.1145/2610384.2610403
research-article

Automated testing for SQL injection vulnerabilities: an input mutation approach

Published: 21 July 2014

Abstract

Web services are increasingly adopted in various domains, from finance and e-government to social media. As they are built on top of web technologies, they also suffer, like the Web, from an unprecedented number of attacks and exploits. Among these attacks, those that target SQL injection vulnerabilities have consistently been top-ranked in recent years. Testing to detect such vulnerabilities before making web services public is crucial. In this paper we present an automated testing approach, namely μ4SQLi, and its underpinning set of mutation operators. μ4SQLi can produce effective inputs that lead to executable and harmful SQL statements. Executability is key, as otherwise no injection vulnerability can be exploited. Our evaluation demonstrated that the approach is effective at detecting SQL injection vulnerabilities and at producing inputs that bypass application firewalls, a common configuration in the real world.

Published In

ISSTA 2014: Proceedings of the 2014 International Symposium on Software Testing and Analysis
July 2014
460 pages
ISBN: 9781450326452
DOI: 10.1145/2610384
Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. Mutation Testing
  2. SQL Injection
  3. Test Generation

Qualifiers

  • Research-article

Conference

ISSTA '14

Acceptance Rates

Overall Acceptance Rate 58 of 213 submissions, 27%
